Initial commit: Pixel AI comic/video creation platform

- FastAPI backend with SQLModel, Alembic migrations, AgentScope agents - Next.js 15 frontend with React 19, Tailwind, Zustand, React Flow - Multi-provider AI system (DashScope, Kling, MiniMax, Volcengine, OpenAI, etc.) - All HTTP clients migrated from sync requests to async httpx - Admin-managed API keys via environment variables - SSRF vulnerability fixed in ensure_url()
2026-04-29 01:20:12 +08:00
commit f9f4560459
808 changed files with 151724 additions and 0 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -0,0 +1,108 @@
+# ===========================================
+# Pixel Backend Environment Configuration
+# ===========================================
+# Copy this file to .env and fill in your values.
+
+# ---- Server ----
+NODE_ENV=development
+PY_PORT=8000
+
+# ---- Database ----
+# Default: SQLite (backend/data/pixel.db)
+# DATABASE_URL=postgresql://user:pass@localhost:5432/pixel
+# DB_PATH=             # override SQLite file path
+# DATA_DIR=            # override data directory
+
+# Database connection pool
+# DB_POOL_SIZE=20
+# DB_MAX_OVERFLOW=10
+# DB_POOL_TIMEOUT=30
+# DB_POOL_RECYCLE=3600
+# DB_POOL_PRE_PING=true
+# SLOW_QUERY_THRESHOLD=1.0
+
+# ---- Redis ----
+REDIS_URL=redis://localhost:6379
+REDIS_ENABLED=1
+
+# ---- JWT Auth ----
+# Auto-generated in dev; MUST set in production
+# JWT_SECRET_KEY=your-secret-key-here
+ACCESS_TOKEN_EXPIRE_MINUTES=30
+REFRESH_TOKEN_EXPIRE_DAYS=7
+
+# ---- Encryption Key (for user API key storage) ----
+# Auto-generated in dev; MUST set in production
+# MASTER_ENCRYPTION_KEY=your-fernet-key-here
+
+# ---- CORS ----
+# CORS_ALLOWED_ORIGINS=https://your-app.example.com
+# CORS_DEV_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
+# ALLOW_DEV_ORIGINS=1
+
+# ---- Storage (OSS) ----
+STORAGE_TYPE=local
+# OSS_REGION=oss-cn-shanghai
+# OSS_ENDPOINT=oss-cn-shanghai.aliyuncs.com
+# OSS_BUCKET=your-bucket-name
+# ALIBABA_CLOUD_ACCESS_KEY_ID=your_key
+# ALIBABA_CLOUD_ACCESS_KEY_SECRET=your_secret
+
+# ---- Email (SMTP) ----
+# SMTP_HOST=
+# SMTP_PORT=587
+# SMTP_USER=
+# SMTP_PASSWORD=
+# SMTP_FROM=
+# SMTP_TLS=true
+# FRONTEND_URL=http://localhost:3000
+
+# ===========================================
+# AI Provider API Keys
+# All users share these system-level keys.
+# ===========================================
+
+# DashScope (Qwen LLM, Wanx Image, Z-Image)
+# DASHSCOPE_API_KEY=sk-xxx
+# DASHSCOPE_BASE_URL=  # optional
+
+# VolcEngine / 火山引擎 (Doubao LLM, video)
+# VOLCENGINE_API_KEY=xxx
+
+# Google (Gemini LLM)
+# GOOGLE_API_KEY=xxx
+
+# OpenAI
+# OPENAI_API_KEY=sk-xxx
+# OPENAI_BASE_URL=  # optional, for proxies
+
+# MiniMax / 海螺 (video, audio, music)
+# MINIMAX_API_KEY=xxx
+# MINIMAX_GROUP_ID=xxx
+
+# Kling / 可灵 (video) — requires both access_key and secret_key
+# KLING_ACCESS_KEY=xxx
+# KLING_SECRET_KEY=xxx
+# KLING_API_BASE=https://api-beijing.klingai.com/v1
+
+# Midjourney / 有川 (image)
+# MIDJOURNEY_API_KEY=xxx
+# MIDJOURNEY_PROXY_URL=xxx
+# YOUCHUAN_APP_ID=xxx
+# YOUCHUAN_SECRET_KEY=xxx
+
+# ModelScope (image, video)
+# MODELSCOPE_API_TOKEN=xxx
+
+# ---- Script Agent (AgentScope) ----
+# Override keys specifically for script analysis agents
+# SCRIPT_DASHSCOPE_API_KEY=xxx
+# SCRIPT_DASHSCOPE_BASE_URL=xxx
+# SCRIPT_OPENAI_API_KEY=xxx
+# SCRIPT_OPENAI_BASE_URL=xxx
+
+# ---- Monitoring ----
+# ENABLE_METRICS=true
+# LOG_LEVEL=INFO
+# TRACING_ENABLED=0
+# OTLP_ENDPOINT=http://localhost:4317